Enhancements for Authentication Using Smart Cards

Enhancements for Authentication Using Smart Cards - Authentication Fallback
Where Can I Use This?
What Do I Need?
  • GlobalProtect Subscription License
  • GlobalProtect app version 6.3.0 or later
  • GlobalProtect app running on Windows endpoints
If you have configured Connect Before Logon in On-demand mode for the GlobalProtect app with smart card authentication as the authentication method, the app now lets end users authenticate either with a smart card or with their username and password. With this feature enabled, the GlobalProtect app displays two authentication profiles in the Portals drop-down on the app home page: a profile with <PIV> and another profile with <NO PIV>. End users choose their preferred authentication profile from these two options. The profile with the PIV option lets the end user authenticate to the app using the smart card authentication method, whereas the profile with the NO PIV option lets them authenticate using their username and password.
For example, if end users forget to bring their smart card to work, they can choose the authentication profile with NO PIV from the Portals drop-down and use their username and password to authenticate to the app. If a smart card is available, they can use the profile with PIV and authenticate using smart card authentication.
This feature will work only when ActivClient software is installed on the device.
For the GlobalProtect app to display the authentication profile options with or without the PIV smart card, you must:
  1. Ensure that Connect Before Logon (CBL) is configured with On-demand mode for the GlobalProtect app.
  2. Select the Allow Authentication with User Credentials OR Client Certificate option while configuring the GlobalProtect gateway and portal. This option defines whether users can authenticate to the portal or gateway using credentials and/or client certificates.
  3. In the Windows Registry, define the predeployment settings for the app to display the authentication profile options with PIV and No PIV.
    1. Launch the Command Prompt and enter regedit to open the Windows Registry.
    2. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\
    3. Click Edit and then select New > String Value.
    4. When prompted, specify the Name of the new registry value as PIV-profile.
    5. Right-click the new registry value and Modify it.
    6. Set the Value Data to yes.
    7. Click OK.
    To predeploy the setting from Windows Installer (Msiexec), use the following syntax:
    msiexec.exe /i globalprotect64.msi PIVPROFILE=yes
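
The registry steps above can be scripted so the setting is applied and audited the same way on every endpoint. The following PowerShell is an added example, not Palo Alto Networks code; the function names Get-PivProfileState and Set-PivProfile are hypothetical, and it assumes an elevated session on the endpoint.

```powershell
# Added example (not vendor code). Run in an elevated session: HKLM is written.
# Key path, value name and value data are the ones given in the steps above.
$SettingsKey = 'HKLM:\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings'
$ValueName   = 'PIV-profile'

function Get-PivProfileState {
    # Hypothetical helper: reports presence, data and registry type of the value.
    $state = [ordered]@{ Present = $false; Data = $null; Kind = $null; Compliant = $false }
    if (Test-Path -LiteralPath $SettingsKey) {
        $key = Get-Item -LiteralPath $SettingsKey
        if ($key.GetValueNames() -contains $ValueName) {
            $state.Present = $true
            $state.Data    = $key.GetValue($ValueName)
            $state.Kind    = $key.GetValueKind($ValueName)
            # The procedure creates a String Value (REG_SZ) whose data is "yes".
            $state.Compliant = ($state.Kind -eq [Microsoft.Win32.RegistryValueKind]::String) -and
                               ($state.Data -eq 'yes')
        }
    }
    [pscustomobject]$state
}

function Set-PivProfile {
    # Hypothetical helper: idempotently applies registry steps 2 to 7 above.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ((Get-PivProfileState).Compliant) { return Get-PivProfileState }
    if (-not (Test-Path -LiteralPath $SettingsKey) -and
        $PSCmdlet.ShouldProcess($SettingsKey, 'Create registry key')) {
        New-Item -Path $SettingsKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$SettingsKey\$ValueName", 'Set REG_SZ value to yes')) {
        # -Force replaces an existing value, including one created with the wrong type.
        New-ItemProperty -LiteralPath $SettingsKey -Name $ValueName `
            -PropertyType String -Value 'yes' -Force | Out-Null
    }
    Get-PivProfileState
}

# Preview the change and print the current state; remove -WhatIf to apply it.
Set-PivProfile -WhatIf
```

Run it from 64-bit PowerShell: a 32-bit host on 64-bit Windows is redirected to the WOW6432Node view of HKLM\SOFTWARE and would read and write a different key.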
